Under the original NIS directive, the specific obligations organisations faced depended on whether they were classed as ‘operators of essential services’ or a ‘digital service provider’. Stricter rules have applied to operators of essential services, a term that encompasses organisations that operate critical infrastructure across sectors such as energy, transport, health and digital infrastructure. A lighter touch regime has applied to digital service providers, a term that has applied to search engines, online marketplaces and cloud computing providers.
NIS2 maintains the tiered system of regulation, with some significant changes.
Under NIS2, organisations classed as ‘essential entities’ will be subject to the strictest requirements and most comprehensive regulatory oversight – including, potentially, on-site inspections and targeted, independent, security audits.
It is likely that most organisations classed as ‘operators of essential services’ under the original NIS directive will be classed as ‘essential entities’ under NIS2. However, the concept of an ‘essential entity’ is much broader and will also capture many organisations that have, to date, not been subject to the NIS regime – for example, pharmaceutical companies and operators of hydrogen production, storage and transmission.
Equally, the concept of ‘essential entity’ also extends to some businesses that may, until now, have only been subject to the lighter touch framework under the original NIS directive as digital service providers. This is the case, for example, with cloud computing providers. Other technology providers, including data centre service providers, managed service providers, and content delivery network providers, are also classed as ‘essential entities’ under NIS2.
The lighter touch regime under NIS2 will apply to ‘important entities’. Among other things, organisations classed as ‘important entities’ will face less burdensome record keeping duties in respect of the cybersecurity measures they must take to comply with the legislation.
The concept of an ‘important entity’ captures not only providers that have been subject to the original NIS directive, but a raft of other categories of organisation too. It includes manufacturers of computers and vehicles, businesses engaged in food production and processing, chemicals companies and waste management providers.
Though there are specified exceptions to this listed in NIS2, generally the scope of the legislation is limited to organisations fitting within the definitions of essential or important entities that have at least 50 employees and/or an annual turnover of at least €10 million.
Organisations subject to the NIS2 regime will be obliged to “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services”.
Specific cybersecurity measures endorsed in the legislation include policies on risk analysis and information system security, policies on incident handling, access control policies and the use of multi-factor authentication or continuous authentication solutions. Supply chain security must also be considered, including the vulnerabilities “specific to each direct supplier and service provider” as well as “the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures”.
“Management bodies” must “approve the cybersecurity risk management measures taken” and oversee their implementation. Individuals in those bodies could be held personally liable if the organisation fails to comply with its cybersecurity obligations under the legislation.
The precise cybersecurity measures each organisation must implement to comply with its legal obligations under NIS2 will depend on factors such as its size, exposure to risk, the likelihood of occurrence of incidents and their severity, and the availability and cost of implementing technology or international standards.
NIS2 also sets out new cybersecurity incident reporting rules. Any incident that has “a significant impact” on in-scope services must be notified to national computer security incident response teams (CSIRTs) or regulators.
NIS2 defines what is meant by a ‘significant’ incident – these are incidents that have caused or are capable of causing severe operational disruption of the services or financial loss for the entity concerned, or that have affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage.
A staged approach to incident notification is provided for under the directive.
An “early warning”, indicating whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact, must be notified without undue delay and within 24 hours of awareness of the incident at the latest. A second report must be submitted without undue delay and in any event within 72 hours that includes an update on the initial information provided and provides an initial assessment of the incident, including its severity and impact, as well as, where available, “the indicators of compromise”.
A final report must be submitted not later than one month after the second report was shared. CSIRTs or regulators can request intermediate reports, which would include “relevant status updates”. The final report must include a detailed description of the incident, including its severity and impact; the type of threat or root cause that is likely to have triggered the incident; applied and ongoing mitigation measures; and where applicable, the cross-border impact of the incident. If the incident remains ongoing at the time the final report is otherwise due, a progress report should be submitted instead and a final report provided within a month of the issue being handled.
The European Commission is obliged to adopt certain implementing acts to supplement the provisions in NIS2. These include implementing acts for cloud computing providers, data centre providers, content delivery network providers, managed service providers, and providers of online marketplaces, of online search engines and of social networking services platforms, which specify the cases in which an incident shall be considered to be ‘significant’ and therefore subject to the reporting requirements.
Fines of up to €10m, or 2% of an organisation’s annual global turnover, whichever is higher, can be imposed on essential entities. For important entities, the equivalent thresholds are €7m and 1.4% of turnover.